Jon and I didn't discover a serious general 802.11 flaw; that's
where a lot of the confusion around this issue comes from. We discovered
that in general 802.11 drivers didn't handle malformed frames very well.
The flaws that were discovered (there were far more than one) were
specific to certain types of chipsets (Atheros, Broadcom, etc.). As
far as the articles go, I didn't write them. If you look at mine and
Jon's quotes in each article you will see something along the lines of
"this is a systemic problem that affects the entire industry".

As far as using a third-party card for the video demo goes: a lot of
Mac fans were very upset and felt that it wasn't fair because nobody
uses a third-party card. That was the entire point of the demo. If we
had to do it live and someone got a copy of the working exploit, we
didn't want it to be in something that actually affected anyone. As
far as confirmation goes, you will see we never confirmed publicly which
vendors were affected. And once again, I never said I wanted to stab
the Mac community in the eye; I said that about the actors in a
commercial.

As a side note I have to mention the statement that Secureworks issued
clarifying the video. She forgot to mention to reporters that the
statement was created in cooperation between Apple PR and Secureworks
PR. Although Apple PR really wanted the statement to be extended to
cover any demos given in person (Krebs, anonymous Blackhat employee),
Secureworks couldn't do that. Minutes after this was posted, Lynn Fox
started pitching reporters a story that Secureworks had changed its
story based on the update. If you actually read the Secureworks
statement, it just covers the video and says nothing I didn't say in
the video twice. I suppose her omission of this information was
designed to make it appear Jon and I were frauds and thus make a big
story. I suppose the headline "Apple asked Secureworks to clarify
their video, Secureworks obliges" would not have been as sensational
or given the Mac zealots ammunition to drag Jon and me through the mud
for months. I also find it funny that the only real news outlet that ran
the "Secureworks changes position" story was Macworld. Here is a funny
note: the guy who wrote the story, Jim Dalrymple, never contacted Jon,
myself, or Secureworks for any reason during the entire fiasco.

It doesn't matter much to me anymore, as I have yet to meet a client of
Errata Security (the company I formed after leaving Secureworks) that
thinks I faked it all. Also, I am in the process of writing a book
about horror stories of when responsible disclosure goes wrong, with
Apple being the flagship issue. Everything that happened will be
detailed. As far as security research into Apple goes, I haven't done much
else in the last few months, and I flat out refuse to report any issues
to Apple security anymore because of two things. One is that I don't
trust their PR department not to try and smear me again; I feel that
their handling of the Secureworks statement pretty much proved this.
The second reason is simple: Apple apparently has more leaks than a
sinking ship. How do I know this? Several of the bloggers who were
calling for my head on a platter had information I had given to just
one person at Apple and that no one else knew. It's almost like pro-Mac
bloggers have a hotline to the 2- or 4-person security group at Apple.
If a company wants me to keep details of a vulnerability private, they
can at least do the same.

So what is the takeaway from this? It was a very poorly handled
situation by everyone involved, except Jon. Jon had no real control of
any of this, and in the end I realized I didn't either. I lost all
control when I allowed marketing people to make decisions about
vulnerability disclosure. However, I did make some mistakes. I should
never have talked to a reporter about something we were not ready to
make public. I should have realized Apple would have responded the way
they did and just dropped full details of the exploit or not said
anything at all. With that being said, I have never been a fan of full
disclosure, and I am still not, unless it's a vendor that has acted in
bad faith.

How could it have been handled differently by Apple? I have reported
a lot of vulnerabilities to a lot of vendors and never once have I had
the PR department respond to something. Take the Dell and Toshiba
Bluetooth stack issue. We reported it to security, we worked with the
engineers to fix it (and strangely, information we gave to the
engineers didn't end up on blogs), and only after everything was fixed
(the process took about a month and a half) did we talk to their PR
group to coordinate a joint release.

With all this being said, I am shopping for a new TV to make best use
of my new Apple TV. I write this on a new MacBook Core 2 Duo while
listening to my iPod play an audiobook (World War Z) that I bought
from iTunes. If you didn't know better you could also say I am a
walking commercial for Apple.

On 2/3/07, Dave Schroeder <das (at) doit.wisc (dot) edu> wrote:
> On Feb 2, 2007, at 11:02 PM, David Maynor wrote:
>
> > If you don't like the response don't be mad at me, email
> > product-security (at) apple (dot) com and demand a timeline for when these types
> > of features will be added.
>
> Right now, I'd even settle for a basic EOL schedule for OSes...
>
> I do have some serious questions on this topic of Mac OS X security.
> Fanboy issues and incorrect beliefs held by many about Mac OS X
> security aside, I think there is a problem with the way Apple
> security issues are dealt with, including your wireless vulnerability.
>
> You discovered a serious general 802.11 vulnerability that affected
> many wireless chipset and driver combinations, and could affect Mac
> OS X, Windows, and Linux. You chose to demo the issue on a MacBook
> running Mac OS X - which is perfectly fine - in part, to show that
> Mac OS X is indeed vulnerable to security issues, and even general
> ones that affect multiple platforms at that. It's time people,
> including Apple, wake up to a lot of these issues, or there *will* be
> a rude awakening coming, reminiscent of the Microsoft of five years
> ago. It took Microsoft *years* to pull itself out of that, and it's
> still a work in progress.
>
> However, that brings me to a question. When a general, severe 802.11
> vulnerability is discovered and revealed, one which affects multiple
> chipsets, drivers, and platforms, how is it fair, or even helpful to
> any reasonable Mac OS X security discourse, to have IT and mainstream
> press all over splash headlines like "MacBook hijacked in 30 seconds
> - wirelessly", and generally make it appear to the casual reader that
> this is ONLY an Apple problem, ONLY a Mac OS X problem, and a problem
> with the new flagship consumer laptop to boot? I'm not saying YOU
> wrote any of these articles; you're the researcher, not the
> journalist. But I would like your opinion on the handling of that
> issue, which was much broader than Mac OS X, in the media.
>
> One corollary question to this would be, why was the third party USB
> wireless card's brand and identity hidden because of what was stated
> to be "responsible disclosure", while it was simultaneously asserted
> that the MacBook's internal wireless was (essentially) identically
> vulnerable? You can see why some people would find that seeming
> discontinuity somewhat unfair. Again, this is NOT an accusation: it
> is a legitimate question. I have since come to understand that maybe
> the media was to blame for the handling and presentation of this
> issue. However, I'm still wondering what your own personal thoughts
> on this are, given that you were one of the co-discoverers and
> presenters of the issue.
>
> For some reason, I get interpreted as an Apple "fanboy" because I
> defend Apple on issues like this. Me saying "hey, this affects way
> more platforms than Mac OS X" or "targeting only Apple is a bit
> unfair here" somehow gets construed as trying to "FUD" the issue
> away, or somehow claim that Mac OS X is invulnerable (which I have
> never remotely said, and is also wildly inaccurate to boot). Apple
> has serious issues that need to be dealt with in regard to security
> response and issue handling, the way big reporting is handled in
> general, and the way it interacts with enterprise markets (of which
> security is an integral part). What I'm concerned with is making sure
> the debate is an intelligent and useful one, not having sky-is-
> falling headlines splashed every time Mac OS X is vulnerable to
> something, while, ironically, another Windows remote exploit
> requiring no user interaction is making the rounds.
>
> I don't think the "fanboys" are anything that really needs to be
> worried about. What the concern should be is getting ordinary users
> to understand that there are security issues to be aware of on Mac OS
> X as any other OS. I believe that any changes at Apple with regard to
> this will come from the enterprise marketplace. However, Apple really
> isn't an enterprise company even though it occasionally dons
> enterprise garb. Every positive change I have seen in Apple security
> response to date has been a direct result of coordinated requests
> made from the Mac "enterprise" community, which consists not really
> of "enterprise", per se, but rather mostly of academic and government
> research institutions. Some specific examples of these positive
> changes were:
>
> - More security issues began being handled in a more granular
> fashion, instead of being reserved for the next major OS update. This
> was done in direct response to feedback from the enterprise community.
>
> - Apple's descriptions of security updates were always incredibly
> vague. After much feedback in this area, Apple began describing much
> more explicitly what was fixed and changed, citing the appropriate
> advisories and CVE numbers, and acknowledging discovery/reporting.
>
> - Apple rarely interacted with external security advisory
> clearinghouses like US-CERT, Secunia, MITRE, and so on. There has
> been an improved effort to update these clearinghouses with
> information pertaining to Apple on issues.
>
> - Occasionally (instead of never) providing security updates for
> recent point versions of the OS, instead of always mandating that it
> be the latest in the series. E.g., 10.4.3 and 10.4.4 instead of
> 10.4.4 only.
>
> There's room for a LOT of improvement, but these are measurable
> improvements nonetheless; my point here is that there has been
> positive movement. So, how do we get more, and keep that going?
>
> I see MacEnterprise.org, a quasi-Apple-affiliated group of Mac
> "enterprise" users as being the primary conduit for getting this kind
> of information into Apple. I'm not saying the general userbase won't
> have value...but how does the general userbase "get" Apple to
> respond? By getting people all riled up and having a constant stream
> of negative mainstream press about Apple security (and usually
> inaccurate at that, or at least failing miserably to grasp the nuance
> or particulars of the situation)? By slapping down "fanboys" in some
> ridiculous back and forth where both sides accuse each other of
> ridiculous conspiracies to either artificially prop Apple up or tear
> it down?
>
> I see this happening in Apple from the organizational side. Some see
> it happening from a technical side. Organizational has to happen
> first. Security response has to become primarily a technical
> engineering group in Apple, not a product marketing one. Security
> design and audit needs to be preemptive, proactive, and continuous.
> Security technologies such as you speak of need to be integrated into
> the operating system. Engineers need to be able to *directly
> communicate*, *officially* with security researchers and others
> reporting issues. Bug reporting and emailing product-security can't
> be the black holes and one-way conduits they usually are.
>
> So, as a technical security researcher, what is your opinion, on some
> of what I'm bringing up here? You're intimately aware of these
> issues, and have been a part of some of them yourself. Is anything
> said here unreasonable?
>
> Thanks,
>
> Dave
>
>